I have an HA pair of firewalls in my data center. I have a single ISP that provides two routers for internet access. I use HSRP on those routers, which obviously share the same subnet on the inside interface that connects to the outside interface of the Palo Alto firewalls. I have two instances of HSRP set up to where some of my other perimeter devices can use ISP router A and the Palo Alto can use ISP router B. I'd like to get the Palo Alto to use both router A and B though. Can I add an additional default route to the virtual router that uses the other router's HSRP IP and then enable ECMP? I would have two default routes on the same virtual router: one going to router A's HSRP IP and one going to router B's HSRP IP.
I can't seem to find any examples of using ECMP via a single interface. All examples are when you have two separate interfaces that you want to route out of. Would this setup work?
Hi @dustin.campbell,
I don't see why it wouldn't work. ECMP will allow for multiple routes to the same destination. I doubt it does an interface check except to verify it is an L3 interface. Follow the dual-interface example, but point your 2 routes to the same interface.
Check your routing table (Network > Virtual Routers > More Runtime Stats) to verify both routes are present. You could even configure path monitoring for your static routes for automatic failover. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/static-routes/configure-path-m...